From 5e5496d00b5025aede227b4e3bde42bee2bd04e1 Mon Sep 17 00:00:00 2001
From: msaf1980
Date: Wed, 26 Oct 2022 11:54:00 +0500
Subject: [PATCH] sanitize error output for prevent XSS issues

---
 webapp/graphite/errors.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/webapp/graphite/errors.py b/webapp/graphite/errors.py
index 289541798a..231edac239 100644
--- a/webapp/graphite/errors.py
+++ b/webapp/graphite/errors.py
@@ -94,6 +94,15 @@ def __str__(self):
 return msg
 
 
+def escape(s):
+ # Replace special characters "&", "<" and ">" to HTML-safe sequences.
+ s = s.replace("&", "&") # Must be done first!
+ s = s.replace("<", "<")
+ s = s.replace(">", ">")
+
+ return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
 def new_f(*args, **kwargs):
@@ -102,6 +111,6 @@ def new_f(*args, **kwargs):
 except InputParameterError as e:
 msgStr = str(e)
 log.warning('%s', msgStr)
- return HttpResponseBadRequest(msgStr)
+ return HttpResponseBadRequest(escape(msgStr))
 return new_f
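Review bot: The new `escape` helper re-implements what the stdlib and Django already ship, and it leaves `"` and `'` untouched, so its output is only safe as element text and not inside an attribute; `django.utils.html.escape` (the file already imports from Django) or `html.escape` cover all five characters and are maintained upstream. I would drop the definition and add `from django.utils.html import escape` at the top of the file. As rendered on this page the replacement targets appear as the bare characters (`s.replace("&", "&")`), which would make the function a no-op; that is most likely the page decoding the `&amp;`/`&lt;`/`&gt;` entities rather than the committed code, but it is worth confirming against the repository before merging. If the helper is kept, it needs a docstring such as `"""Escape &, < and > so *s* can be embedded as text in an HTML response body."""` in place of the bare comment.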
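Review bot: Escaping the message does not change the response's content type, so this `HttpResponseBadRequest` still goes out as Django's default `text/html` and the browser keeps interpreting the body as markup, while non-browser consumers of the render API now receive `&lt;` and `&amp;` inside their error text. Serving the message as plain text removes the HTML interpretation instead of working around it: `return HttpResponseBadRequest(msgStr, content_type='text/plain')`, ideally with an `X-Content-Type-Options: nosniff` header so older browsers do not sniff it back to HTML. If an HTML body is intentionally kept for some consumer, a one-line comment on the return line should say so, since the escaping otherwise looks redundant with a plain-text content type. The `try` that this `except` belongs to lies between the two hunks, outside this one.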